Boot Loader Passwords - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 43. Securing Your Network
user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive
data.
2. Preventing System Booting — Some BIOSes allow password protection of the boot process.
When activated, an attacker is forced to enter a password before the BIOS launches the boot
loader.
Because the methods for setting a BIOS password vary between computer manufacturers, consult the
computer's manual for specific instructions.
If you forget the BIOS password, it can either be reset with jumpers on the motherboard or by
disconnecting the CMOS battery. For this reason, it is good practice to lock the computer case
if possible. However, consult the manual for the computer or motherboard before attempting to
disconnect the CMOS battery.
43.1.2.1.1. Securing Non-x86 Platforms
Other architectures use different programs to perform low-level tasks roughly equivalent to those of
the BIOS on x86 systems. For instance, Intel® Itanium™ computers use the Extensible Firmware
Interface (EFI) shell.
For instructions on password protecting BIOS-like programs on other architectures, refer to the
manufacturer's instructions.

43.1.2.2. Boot Loader Passwords

The primary reasons for password protecting a Linux boot loader are as follows:
1. Preventing Access to Single User Mode — If attackers can boot the system into single user mode,
they are logged in automatically as root without being prompted for the root password.
2. Preventing Access to the GRUB Console — If the machine uses GRUB as its boot loader, an
attacker can use the GRUB editor interface to change its configuration or to gather information
using the cat command.
3. Preventing Access to Insecure Operating Systems — If it is a dual-boot system, an attacker can
select an operating system at boot time (for example, DOS), which ignores access controls and
file permissions.
Red Hat Enterprise Linux ships with the GRUB boot loader on the x86 platform. For a detailed look at
GRUB, refer to the Red Hat Installation Guide.
43.1.2.2.1. Password Protecting GRUB
You can configure GRUB to address the first two issues listed in Section 43.1.2.2, "Boot Loader
Passwords" by adding a password directive to its configuration file. To do this, first choose a strong
password, open a shell, log in as root, and then type the following command:
/sbin/grub-md5-crypt
When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the
password.
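An added example, not part of the Red Hat manual: a shell check that a GRUB Legacy configuration file carries the password directive in its global section (before the first title line) and in the MD5 form rather than as plain text. The password --md5 syntax is GRUB Legacy's; the function name check_grub_password, the /boot/grub/grub.conf path and the sample files are assumptions made here, and the hash shown is a constructed placeholder.

```shell
#!/bin/sh
# Added example: report whether a GRUB Legacy config carries a global,
# MD5-hashed password directive. Verdicts: ok | plaintext | after-title | missing
check_grub_password() {
    # $1 = config path (assumed /boot/grub/grub.conf on a real system)
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        $1 == "title" { seen_title = 1 }         # menu entries start here
        $1 == "password" {
            if (seen_title) { late = 1; next }   # inside an entry, not global
            found = 1
            # grub-md5-crypt output is an MD5-crypt string starting with $1$
            if ($2 == "--md5" && $3 ~ /^\$1\$/) md5 = 1
        }
        END {
            if (!found)    print (late ? "after-title" : "missing")
            else if (!md5) print "plaintext"
            else           print "ok"
        }
    ' "$1"
}

# Constructed sample configs; the hash is a placeholder, not real output.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
default=0
timeout=5
password --md5 $1$CONSTRUCTED$PLACEHOLDERHASH00000000
title Red Hat Enterprise Linux Server
        root (hd0,0)
EOF
cat > "$demo_dir/plain.conf" <<'EOF'
default=0
password letmein
title Red Hat Enterprise Linux Server
EOF
cat > "$demo_dir/late.conf" <<'EOF'
default=0
title Red Hat Enterprise Linux Server
        password --md5 $1$CONSTRUCTED$PLACEHOLDERHASH00000000
EOF
printf 'default=0\ntitle DOS\n' > "$demo_dir/none.conf"

for f in good plain late none; do
    printf '%s.conf: %s\n' "$f" "$(check_grub_password "$demo_dir/$f.conf")"
done
```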
